CVE-2020-9758
CRITICALLiveZilla < 8.0.1.3 - Unauthenticated Stored Cross-Site Scripting via Name Parameter
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2020-9758. PoCs published by ari034.
AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2020-9758, a blind JavaScript injection vulnerability in LiveZilla Live Chat 8.0.1.3. The vulnerability allows unauthenticated attackers to perform stored XSS via the 'name' parameter, leading to credential leakage and privilege escalation.
Description
An issue was discovered in chat.php in LiveZilla Live Chat 8.0.1.3 (Helpdesk). A blind JavaScript injection lies in the name parameter. Triggering this can fetch the username and passwords of the helpdesk employees in the URI. This leads to a privilege escalation, from unauthenticated to user-level access, leading to full account takeover. The attack fetches multiple credentials because they are stored in the database (stored XSS). This affects the mobile/chat URI via the lgn and psswrd parameters.
Exploits (1)
This repository provides a detailed technical analysis of CVE-2020-9758, a blind JavaScript injection vulnerability in LiveZilla Live Chat 8.0.1.3. The vulnerability allows unauthenticated attackers to perform stored XSS via the 'name' parameter, leading to credential leakage and privilege escalation.
References (1)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H